
SharePoint springs a leak.
The National Nuclear Security Administration was among the organizations impacted by the SharePoint zero-day. Experts testify before congress that OT security still lags. The FBI warns healthcare and critical infrastructure providers about Interlock ransomware. New York proposes new cybersecurity regulations for water and wastewater systems along with grants to fund them. Researchers uncover an active cryptomining campaign targeting cloud environments. A new variant of the Coyote banking trojan exploits Microsoft’s Windows UI Automation (UIA) framework for credential theft. The DoD pilots an agentic AI project aimed at helping military planners critique and enhance war plans. Clorox sues its former IT service provider for $380 million. Our guest is Tim Starks from CyberScoop discussing sanctions on Russian hackers and spies. Pirate Prime, do the time.
Today is Wednesday, July 23rd, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
The National Nuclear Security Administration was among the organizations impacted by the SharePoint zero-day.
Continuing our coverage of the Microsoft SharePoint zero-day exploit, new reports reveal that the National Nuclear Security Administration was among the over 50 organizations impacted. Bloomberg reports that the agency, which supplies nuclear reactors for U.S. Navy submarines, was affected by the vulnerability, though no classified data appears to have leaked. The Department of Energy credits its use of Microsoft 365 cloud services and strong cybersecurity practices for limiting the breach’s impact to just a few systems, which are now being restored. The exploit, tied to two bugs revealed at May’s Pwn2Own hacking contest, allowed attackers remote access to SharePoint servers. Microsoft has since issued patches for all affected versions. The breach is linked to Chinese state-affiliated actors, adding to growing concerns over foreign targeting of critical infrastructure.
Experts testify before congress that OT security still lags.
A congressional hearing by the Homeland Security Subcommittee on Cybersecurity reviewed the growing threat to U.S. critical infrastructure, 15 years after the discovery of the Stuxnet worm. Journalist Kim Zetter, author of the book Stuxnet: Countdown to Zero Day, shared her own insights. Stuxnet marked the beginning of cyber tools causing real-world physical damage, targeting Iran’s nuclear program. Experts testified that operational technology (OT)—the systems running critical services like water, energy, and transportation—remains dangerously vulnerable. Robert M. Lee, CEO of Dragos, shared this testimony. Witnesses emphasized that OT security still lags behind IT, leaving sectors exposed to ransomware, malware, and state-sponsored threats, especially from Iran and China. Calls were made to reauthorize key laws like the Cybersecurity Information Sharing Act and to boost funding for the state and local cybersecurity grant program. Panelists urged clear federal guidance, public-private collaboration, and a shift from general IT approaches to OT-specific strategies. They warned that without decisive action, the U.S. risks catastrophic failures in critical systems during future cyber conflicts.
A major private healthcare provider in Central Europe reports a breach that forced a shutdown of its digital systems.
AMEOS Group, a major private healthcare provider in Central Europe, reported a July 7 breach that forced a shutdown of its digital systems, disrupting communications and data transmission across clinics in Switzerland, Germany, and Austria. Patient care and emergency services remained unaffected. The nature of the attack is unknown, with an investigation underway by Saxony-Anhalt police. AMEOS has notified data protection authorities and warned patients to watch for phishing and scams.
The FBI warns healthcare and critical infrastructure providers about Interlock ransomware.
The FBI is warning healthcare and critical infrastructure providers about Interlock, a ransomware group active since late 2024. Interlock uses unusual initial access methods, including drive-by downloads and fake browser updates, to infect systems. It has targeted organizations in North America and Europe, including attacks on DaVita and a major Ohio healthcare system. The group’s ransom notes lack payment details, requesting contact instead. Officials say Interlock targets victims opportunistically and may be linked to the Rhysida group. Ransom demands are made in Bitcoin.
New York proposes new cybersecurity regulations for water and wastewater systems along with grants to fund them.
New York has proposed new cybersecurity regulations for water and wastewater systems, alongside a $2.5 million grant program to help fund compliance. The rules would require systems serving over 3,300 residents to implement cybersecurity programs, conduct risk assessments, report incidents within 24 hours, and train staff. Larger systems must also appoint a cybersecurity executive. While the grants aim to ease costs, expenses could reach up to $5 million annually for major systems. The regulations, aligned with EPA and CISA guidance, follow growing threats from ransomware and state-backed attacks. Public comment is open until September, with full compliance expected by 2027. Officials acknowledge costs may burden taxpayers or ratepayers but emphasize the need for proactive security amid federal retreat from state-level support.
Researchers uncover an active cryptomining campaign targeting cloud environments.
Wiz Research has uncovered an active cryptomining campaign dubbed “Soco404,” targeting cloud environments via misconfigurations and vulnerabilities—especially in PostgreSQL. The attackers exploit exposed Linux and Windows systems, using fake 404 pages, compromised servers, and process masquerading to deliver and hide malware. Persistence is achieved through cron jobs and shell scripts. Payloads are hosted on legitimate but compromised infrastructure and fraudulent crypto-trading websites. Once inside, the malware removes competitors, hides traces, and mines cryptocurrency using pools like c3pool and moneroocean. The Windows variant uses built-in tools like certutil and PowerShell to deliver payloads, and embeds a driver to boost mining performance. The campaign is linked to a broader crypto-scam network, showing signs of long-term, automated, and opportunistic operations. Nearly 90% of cloud environments self-host PostgreSQL, making this a high-risk attack vector. The campaign remains active.
A new variant of the Coyote banking trojan exploits Microsoft’s Windows UI Automation (UIA) framework for credential theft.
A new variant of the Coyote banking trojan is actively exploiting Microsoft’s Windows UI Automation (UIA) framework to identify banking and cryptocurrency websites for credential theft. UIA, designed for accessibility, allows apps to inspect and interact with UI elements—features now being abused to evade detection. First observed in February 2025, this marks the first real-world attack using UIA for data theft. Coyote is hard-coded to target 75 specific financial services, mostly in Brazil, and uses UIA to detect URLs in browser tabs when traditional methods fail.
The DoD pilots an agentic AI project aimed at helping military planners critique and enhance war plans.
The U.S. Department of Defense’s Defense Innovation Unit is piloting Thunderforge, an agentic AI project aimed at helping military planners critique and enhance war plans. Thunderforge uses multiple AI agents to analyze plans across domains like logistics, cyber, and intelligence, flagging potential weaknesses. The system integrates with DOD simulations like DARPA’s SAFE-SiM and is backed by Scale AI, Microsoft, and Anduril. Tested in June by INDOPACOM, Thunderforge is designed to shift human users from micromanaging tasks to strategic oversight. However, experts warn of risks, including opaque decision-making, hallucinated outputs, and overreliance on flawed models. Researchers emphasize the need for explainability, continuous adversarial testing, and human oversight. Benchmarking studies show LLMs vary in bias and escalation tendencies, underscoring the importance of model selection. While promising, Thunderforge must prove resilient in wartime conditions, where systems face degraded information and adversarial interference. Human commanders retain final authority in all operational decisions.
Clorox sues its former IT service provider for $380 million, claiming the firm’s negligence enabled a devastating cyberattack.
Clorox is suing its former IT service provider, Cognizant, for $380 million, claiming the firm’s negligence enabled a devastating August 2023 cyberattack. Filed in California Superior Court, the lawsuit alleges Cognizant failed to verify the identity of a caller before granting access to Clorox’s network—violating established password and authentication protocols. The attacker, linked to a known cybercriminal group, used the credentials to disrupt Clorox’s operations, causing weeks-long outages and at least $49 million in damages. Call recordings reportedly confirm Cognizant handed over access without security checks. Clorox’s legal counsel described the failure as “indefensible.” The breach halted production, strained supply chains, and forced Clorox to scale back its 2030 sustainability goals. Cognizant had served Clorox for over a decade under a long-standing IT services agreement.
Pirate Prime, do the time.
Kristopher Lee Dallmann, founder of the pirated streaming empire Jetflicks, has earned himself a seven-year federal sentence—less binge-worthy, perhaps, than the 183,000 TV episodes his platform once offered, but certainly more exclusive. Jetflicks, which operated from 2007 to 2019, was essentially Netflix without the licensing fees or moral overhead. Dallmann and his colleagues automated the theft of shows from legitimate sources like Hulu and Amazon, repackaged them for tens of thousands of paying subscribers, and called it innovation.
The Justice Department estimates the operation caused $37.5 million in damages—roughly the cost of a mid-tier prestige drama, minus the Emmys. Dallmann was convicted of money laundering and various flavors of copyright infringement. His setup delivered shows faster than most legal platforms, which is impressive in a way, if entirely illegal. Prosecutors say the scheme eroded creative industries and flouted the rule of law. Dallmann, for his part, has now secured a much more confined viewing experience.
And that’s the CyberWire Daily. For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights until August 31, 2025. There's a link in the show notes.
N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.
